Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.

XSS, or Cross Site Scripting, in layman's terms, boils down to sending code snippets through URLs, guest books, forums, message boards, and other means of web interaction. XSS has become one of the biggest problems for many major web sites.

2. Why?

One of the main reasons people use XSS is to force other users to their site. With a simple JavaScript command, inserted correctly, I can (not here of course, but on exploitable forums) send a user directly to http://www.google.com.

Usually, when people do this, they redirect users to their cookie stealer, so they can perhaps gain access to the victim's account or find out other personal information. Most little script kiddies, though, will just make annoying alert boxes or pop up porn websites.

3. How?

XSS is most commonly used in guestbooks. The most vulnerable guestbooks, the ones with no filtering at all, usually don't hold any sensitive information that you would need a user's cookie for; these unprotected guestbooks are simply practiced on. For example, if I inserted this raw section of JavaScript into an unfiltered guestbook, I would receive a popup box saying "XSS".

For more commercial guestbooks and forums, like Xanga and Myspace, this code would have to be drastically manipulated to be executed.

4. Real Example

I found an XSS exploit in a quite popular guestbook, the HTML Gear guestbook by Lycos. This guestbook is pretty tightly filtered in the comment section, so I tried elsewhere. In the picture below you see a text box marked "Homepage URL". Apparently, whatever you type in here is placed straight into the HTML for a link: <a href="What you entered in textbox">What you entered in textbox</a>. Now, if I put a double quote ( " ) in my entry, the link would contain whatever I entered before it in the text box, because the quote ends the value of the href attribute in the <a> tag. That means whatever I put after the quote is parsed as further attributes of the <a> tag, so it can be used as a JavaScript event handler. For this tutorial, I will use the "OnMouseOver" event handler, but in reality it's up to you which event handler you decide to use. After the OnMouseOver event handler, I'm going to have a simple alert box pop up saying "XSS". For this I would use alert('XSS'). So, for my entire entry, I would put:

When that code is put into my guestbook entry, it fits nicely into the <a href> tag, as shown in the picture below. Go ahead, try it. Every time you roll over the link it pops up an XSS alert box. NOTE: IN THE PICTURES, I DID NOT SUBMIT THE ENTRY, BECAUSE THESE CAN GET YOU IN TROUBLE. LYCOS MOST LIKELY LOGS IPs. Feel free to experiment on your own, but remember that I am not recommending that you do anything stupid, annoying (refer to script kiddies), or malicious. Have fun.
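To make concrete what the quote-then-event-handler entry does to the rendered link, and how a guestbook should render a "Homepage URL" field so that it cannot happen, here is an added example in JavaScript (Node). It is not code from the original post or from the HTML Gear guestbook; the function names, the escaping helper and the sample entry are constructed for this illustration. It goes slightly beyond the post by also rejecting non-http(s) URLs, since escaping alone does not stop a javascript: link.

```javascript
// Added example (not from the original post): why raw input in an href
// attribute breaks out of the tag, and how to render the link safely.
// All names and the sample entry below are constructed for illustration.

// Minimal HTML escaping, sufficient for text and double-quoted attributes.
// '&' must be replaced first so the other entities are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs are accepted as a homepage. Escaping would
// keep "javascript:alert(1)" inside the attribute, but the browser would
// still run it on click, so the scheme is checked separately.
function isAllowedHomepage(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false; // not parseable as an absolute URL
  }
}

// The pattern the tutorial describes: the field is dropped straight into
// the tag, so a '"' in the input ends the href value early.
function renderLinkUnsafe(input) {
  return `<a href="${input}">${input}</a>`;
}

// Hardened version: validate the scheme, then escape for the attribute and
// text contexts. Quotes become &quot; and can no longer close the attribute.
function renderLinkSafe(input) {
  if (!isAllowedHomepage(input)) {
    return "<span>(no homepage given)</span>";
  }
  const e = escapeHtml(input);
  return `<a href="${e}">${e}</a>`;
}

// Lists the attribute names in the first <a ...> start tag. A correctly
// escaped href can only ever yield one attribute; an event handler showing
// up here is exactly the breakout the tutorial demonstrates.
function anchorAttributeNames(html) {
  const m = html.match(/<a\s+([^>]*)>/);
  if (!m) return [];
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  let a;
  while ((a = re.exec(m[1])) !== null) names.push(a[1].toLowerCase());
  return names;
}

// Constructed sample entry in the shape the tutorial describes: a quote to
// end the href value, followed by an OnMouseOver handler.
const CONSTRUCTED_ENTRY = `http://example.com/" onmouseover="alert('XSS')`;

console.log("unsafe:", renderLinkUnsafe(CONSTRUCTED_ENTRY));
console.log("  attributes:", anchorAttributeNames(renderLinkUnsafe(CONSTRUCTED_ENTRY)));
console.log("safe:  ", renderLinkSafe(CONSTRUCTED_ENTRY));
console.log("  attributes:", anchorAttributeNames(renderLinkSafe(CONSTRUCTED_ENTRY)));
```

The unsafe rendering yields an anchor with both an href and an onmouseover attribute; the safe rendering yields a single href whose value still contains the whole entry, now as harmless text.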

I got a question for you. Say if you were to make a site, such as a JavaScript site or an HTML or XSS or whatever with input boxes, how would you get the information that the person has inputted into those fields into your possession? You would need some sort of server, right? That's where I'm stuck at. I'm kind of lost on how to set up one, provided that I only have one computer.

First of all, you need ANY kind of server to put your site on the web. XSS isn't a language, it's just an acronym for Cross Site Scripting, therefore you couldn't write a webpage with it. And no, you don't necessarily need a server with cgi/php/perl/etc (geocities). If I remember correctly, you can have a javascript file write it to a text file, even though it's not secure at all. If you have a server that supports php or other similarly functioning language (not geocities), you can do (in php for example) a simple $_GET["text field name here"] and have that be written to a database. So basically, if you don't care about security, go with a javascript file. If you want security, find a PHP supporting host (try googling "xlphp") and make the site there.

If you look at the end of the javascript code (the very first code), you see that the cookie variable is defined as "document.cookie", which means whatever the particular viewing user's cookie is. Then look at the PHP code, see that it takes the "cookie" variable (document.cookie) and writes it to the text file called cookies.txt. That's pretty much it.

Not entirely. However, some sites make use of cookies to know if you ticked the 'Stay logged in' box. If you retrieve the cookies, you can go to the site and you'll be logged in as the user in question. This is, however, only if you're lucky. Most use some sort of security mechanism aside from cookies to make sure that the session isn't being hijacked.
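The two replies above turn on what a script can read through document.cookie and whether a copied cookie logs you in. The attributes on the server's Set-Cookie header are the controls that limit this: HttpOnly keeps the cookie out of document.cookie, Secure keeps it off plain HTTP, and SameSite keeps it off cross-site requests. The following added example in JavaScript (Node), which is not code from the thread, audits a Set-Cookie header for those attributes and builds a hardened one; the cookie name and the sample headers are constructed.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for the
// attributes that limit what injected script can do with a session cookie.
// The cookie name and the sample headers below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value (HttpOnly,
// Secure) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? "" : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Return the list of findings for a cookie that carries a login session.
// An empty list means every protective attribute is present.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (c.attrs.httponly !== true) {
    findings.push("missing HttpOnly: readable through document.cookie");
  }
  if (c.attrs.secure !== true) {
    findings.push("missing Secure: also sent over plain HTTP");
  }
  const ss = typeof c.attrs.samesite === "string" ? c.attrs.samesite.toLowerCase() : "";
  if (ss !== "lax" && ss !== "strict") {
    findings.push("SameSite not Lax/Strict: attached to cross-site requests");
  }
  if (c.attrs.expires !== undefined || c.attrs["max-age"] !== undefined) {
    findings.push("persistent cookie: a copied value stays valid until expiry");
  }
  return findings;
}

// Build a session cookie header with the protective attributes set. With no
// Expires/Max-Age it is a session cookie and is dropped when the browser closes.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed samples: a "stay logged in" style cookie with no protections,
// and the same cookie emitted with the attributes set.
const WEAK_HEADER = "SESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT";
const STRONG_HEADER = buildSessionCookie("SESSIONID", "abc123");

console.log("weak:  ", auditSessionCookie(WEAK_HEADER));
console.log("strong:", auditSessionCookie(STRONG_HEADER));
```

HttpOnly only stops script from reading the cookie; it does not stop script from sending requests that carry it, which is why the reply's point about a second check beyond the cookie still matters.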